About Provisioning

Provisioning is the process of notifying an application whenever user or group data changes in Oracle Internet Directory. Provisioning events arise whenever any change occurs to a relevant user's or group's status or information. An application subscribes to provisioning when it is first installed by creating a provisioning profile in the directory. Subscription occurs once for each application.

Provisioning involves--but is not the same as--synchronization. At times, you may want to synchronize all entities in an application-specific directory with those in the central directory, but provision the application to receive notification only about some of them. For example, the directory for Oracle Human Resources typically contains data for all employees in an enterprise, and you would probably want to synchronize all of that data with the central directory. However, you might want to provision your application to receive notification only when members join or leave a particular group.

Provisioning Procedures

In a directory-enabled environment, provisioning involves:

Creating the user in the central directory

Enrolling the user in the application--that is, creating application-specific user accounts and entitlements

Synchronizing those accounts and entitlements with the central directory

For example, provisioning a user to access an e-mail application involves:

Creating the user in the central directory

Enrolling the user in the e-mail application. This involves setting up an e-mail account and quota for that user and creating the necessary public folders.

Synchronizing the user information in the e-mail application with that in the central directory

You can change user and group information from any of the following:

Oracle Human Resources or other applications integrated with the Oracle Directory Integration Platform

User Enrollment in Applications

User enrollment in an application can happen either automatically or manually.

Automatic Enrollment

One form of automatic enrollment is sometimes called "on-demand enrollment." Instead of continuously synchronizing with the central directory, the application creates the user footprint when the user first accesses the application. Oracle9iAS Single Sign-On enrolls a user accessing an application in this way.

Manual Enrollment

The administrator provides application-specific information by using an application-specific administrative tool.

For example, you might want users to obtain their manager's approval before enrollment. In this case, rather than use on-demand enrollment, you might want the application administrator to enroll the user manually after the necessary approvals are complete.

Provisioning Information

Provisioning a user typically involves creating two kinds of information:

Shared user metadata in Oracle Internet Directory

This data includes the user's identity, credentials, profiles, and preferences. It is represented by standard directory user attributes--for example, mailing address or language preferences.

Application-specific user data in the application

This could include, for example, data in the user's e-mail message folder, or, for the calendaring application, the user's appointment data. It is typically represented by using application-specific conventions either in the directory or in application-specific repositories.

How the Oracle Directory Provisioning Integration Service Retrieves Changes from Oracle Internet Directory

In an Oracle Directory Provisioning Integration Service environment:

Oracle Internet Directory acts as the central repository for all user and group information

Applications subscribe to receive the provisioning events by creating provisioning profiles in the directory

The Oracle Directory Provisioning Integration Service monitors Oracle Internet Directory for any changes to user or group information, and conveys these changes to applications in the form of provisioning events

To retrieve changes from Oracle Internet Directory, the Oracle Directory Provisioning Integration Service subscribes to the Oracle Internet Directory change log. The changes in the change log are filtered so that only the needed changes get passed to the applications. For example, if an application is interested only in the events of a particular subtree, then the Oracle Directory Provisioning Integration Service notifies it of those changes only.
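As an added illustration of the change-log filtering just described (example code, not Oracle's and not part of this document), the following simplified Python model hands each subscribed application only the change-log records that fall under its profile's subtree and change types, and tracks the last change number delivered so nothing is replayed. The record and profile field names are assumptions, and the change log itself is constructed sample data.

```python
# Added example, not code from Oracle or this document: a simplified model of
# the change-log filtering described above. A provisioning service reads the
# directory change log and hands each subscribed application only the records
# that fall under the subtree and change types in that application's profile.
# Record and profile field names are assumptions, loosely modelled on LDAP
# change-log entries (changenumber, changetype, targetdn); data is constructed.

def _normalize_dn(dn: str) -> str:
    """Lower-case the DN and strip whitespace around each RDN for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def dn_in_subtree(dn: str, base: str) -> bool:
    """True if dn is base itself or lies beneath it. The comparison is done on
    RDN boundaries, so 'cn=notgroups,...' does not match base 'cn=groups,...'."""
    d, b = _normalize_dn(dn), _normalize_dn(base)
    return d == b or d.endswith("," + b)

def filter_changes(changelog, profile, last_applied):
    """Return (matched, highest): matched holds the records with changenumber >
    last_applied that the profile subscribes to, in change-number order, and
    highest is the newest changenumber seen (the next last_applied to store)."""
    matched, highest = [], last_applied
    for rec in sorted(changelog, key=lambda r: r["changenumber"]):
        if rec["changenumber"] <= last_applied:
            continue  # already delivered to this subscriber; skip replay
        highest = max(highest, rec["changenumber"])
        if rec["changetype"] not in profile["changetypes"]:
            continue  # event kind the application did not ask for
        if not dn_in_subtree(rec["targetdn"], profile["subtree"]):
            continue  # change outside the application's subtree of interest
        matched.append(rec)
    return matched, highest

# Constructed sample change log and two subscription profiles.
SAMPLE_CHANGELOG = [
    {"changenumber": 101, "changetype": "add", "targetdn": "cn=alice,cn=users,dc=example,dc=com"},
    {"changenumber": 102, "changetype": "modify", "targetdn": "cn=Sales,cn=groups,dc=example,dc=com"},
    {"changenumber": 103, "changetype": "delete", "targetdn": "cn=bob,cn=users,dc=example,dc=com"},
    {"changenumber": 104, "changetype": "modify", "targetdn": "cn=eng, cn=groups,dc=example,dc=com"},
    {"changenumber": 105, "changetype": "add", "targetdn": "cn=notgroups,dc=example,dc=com"},
]
GROUP_EVENTS_PROFILE = {"subtree": "cn=groups,dc=example,dc=com",
                        "changetypes": {"add", "modify", "delete"}}
NEW_USERS_PROFILE = {"subtree": "cn=users,dc=example,dc=com", "changetypes": {"add"}}

if __name__ == "__main__":
    for name, prof in [("groups app", GROUP_EVENTS_PROFILE), ("users app", NEW_USERS_PROFILE)]:
        events, cursor = filter_changes(SAMPLE_CHANGELOG, prof, last_applied=0)
        print(name, [e["changenumber"] for e in events], "next cursor:", cursor)
```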

Figure 29-1 shows the relation between components in an Oracle Directory Provisioning Integration Service environment.

The Oracle Directory Provisioning Integration Service retrieves changes to user and group information from Oracle Internet Directory and sends them to subscribed applications. In this example, the applications are Oracle9iAS Portal, Oracle Unified Messaging, Oracle Internet File System, and third-party enrollees.

How an Application Obtains Provisioning Information by Using the Oracle Directory Provisioning Integration Service

The Oracle Directory Provisioning Integration Service monitors Oracle Internet Directory for any changes to user or group information. It conveys these changes to applications in the form of provisioning events.

Figure 29-2 shows the life cycle of an application that obtains the provisioning events.

Figure 29-2 How an Application Obtains Provisioning Information by Using the Oracle Directory Provisioning Integration Service

Information for the Oracle Directory Provisioning Integration Service to service the application--for example, the kind of changes required, or scheduling properties

Once the necessary configuration information is in Oracle Internet Directory, the Oracle Directory Provisioning Integration Service periodically sends the changes to the application. The changes it sends are based on application-specific database connect information.

De-installation from Oracle Directory Provisioning Integration Service occurs in one of two ways:

The application de-installs itself automatically

The administrator manually unsubscribes it by using the Provisioning Subscription Tool

Install the applications and, when the Provisioning Subscription Tool prompts, supply the information that the applications need to subscribe to the Oracle Directory Provisioning Integration Service. This enables them to receive provisioning events.

Periodically monitor the status of the provisioning event propagation for each application.

Managing the Oracle Directory Provisioning Integration Service

This section describes:

How to manage the Oracle directory integration server

How to manage provisioning profiles

Managing the Oracle Directory Integration Server

When the Oracle directory integration server is invoked in the default mode, it supports only the Oracle Directory Provisioning Integration Service, and not the Oracle Directory Synchronization Service.

Table 29-1 Entry-Level Privileges

User Category                          Browse   Add   Delete
Provisioning administrators            Yes      Yes   Yes
Application entities                   Yes      No    Yes
Provisioning profiles                  Yes      No    No
All other users                        No       No    No

Explanation:

Oracle directory integration servers: delete some rogue provisioning profiles that the applications did not bother to delete. However, Oracle directory integration servers should not have access to add new provisioning profiles.

Provisioning administrators: the provisioning administrators group requires all privileges.

Application entities: application entities themselves cannot create provisioning profiles, nor can they view another application's profiles. However, once a profile has been created, they can browse, modify, and delete their own profiles.

Provisioning profiles: provisioning profiles also have an identity in the directory. For Release 9.2, this identity is not used, and hence it has the privilege only to perform a self-browse.

All other users: all other users should not be able to browse, add, or delete provisioning profiles.

Table 29-2 Attribute Level Privileges Granted to Entities

Stores details of the connection information to the target application, including the password to the target system

orclODIPProfileInterfaceAdditionalInformation

Stores any interface-specific information

Table 29-3 describes the access control for the secure attributes for the main entities operating on the provisioning profiles.

Table 29-3 Access Control for Secure Attributes

User Category                          Read   Write   Search   Compare
Oracle directory integration servers   Yes    No      Yes      Yes
Provisioning administrators            Yes    Yes     Yes      Yes
Application entities                   Yes    Yes     Yes      Yes
Provisioning profiles                  Yes    No      Yes      No
All other users                        No     No      No       No

Explanation:

Oracle directory integration servers: Oracle directory integration servers need access to the secure attributes to complete their processing cycles. However, they do not need write access to them, because these attributes should be controlled only by application entities and provisioning administrators.

Provisioning administrators: provisioning administrators must be able to solve integration problems, and this requires full access to the secure attributes.

Application entities: application entities are the real owners of the secure attributes, and therefore require full access to them.

Provisioning profiles: provisioning profiles do not need to write or compare these attributes. As a result, they need only read and search privileges.

All other users: all other users receive no privileges.

Table 29-4 shows the access control for all other attributes in the provisioning profiles.

Table 29-4 Access Control for All Other Attributes

User Category                          Read   Write   Search   Compare
Oracle directory integration servers   Yes    Yes     Yes      Yes
Provisioning administrators            Yes    Yes     Yes      Yes
Application entities                   Yes    Yes     Yes      Yes
Provisioning profiles                  Yes    Yes     Yes      Yes
All other users                        No     No      No       No

Unlike the secure attributes, the other attributes require less strict access control. Full access is given to all entities involved in the provisioning process: Oracle directory integration servers, provisioning administrators, application entities, and provisioning profiles. All other users receive no access to these attributes.

Troubleshooting the Oracle Directory Provisioning Integration Service

This section lists and describes the provisioning error messages you may see, and discusses actions to resolve them. These messages appear in the provisioning error messages attribute.

Table 29-5 Provisioning Error Messages

Message

Reason

Remedial Action

LDAP Connection Failure

The Oracle Directory Integration Platform failed to connect to the directory server.